Preface



The Department of Homeland Security (DHS) Office of Inspector General (OIG) was established by 
the Homeland Security Act of 2002 (Public Law 107-296) by amendment to the Inspector General 
Act of 1978. This is one of a series of audit, inspection, and special reports prepared as part of our 
oversight responsibilities to promote economy, efficiency, and effectiveness within the department. 

The attached report presents the results of an audit to evaluate DHS' implementation of the Office of 
Management and Budget Circular No. A-123, Management's Responsibility for Internal Control. 
We contracted with the independent public accounting firm KPMG LLP (KPMG) to perform the 
audit. KPMG is responsible for the attached report dated April 30, 2009, and the conclusions 
expressed in it. We do not express opinions on DHS' financial statements, internal controls, or 
provide conclusions on compliance with laws and regulations. 

The recommendations herein have been discussed in draft with those responsible for 
implementation. We trust this report will result in more effective, efficient, and 
economical operations. We express our appreciation to all of those who contributed to the 
preparation of this report. 




Richard L. Skinner 
Inspector General 



KPMG LLP 

2001 M Street, NW 
Washington, DC 20036 



April 30, 2009 

Ms. Anne Richards 

Department of Homeland Security 

Office of the Inspector General 

Ms. Peggy Sherry 

Department of Homeland Security 

Deputy Chief Financial Officer 

This report presents the results of our work conducted to address the performance audit objectives 
relative to the Department of Homeland Security's (DHS or the Department) process over evaluating its 
internal control over financial reporting (ICOFR) in accordance with the Office of Management and 
Budget (OMB) Circular No. A-123, Management's Responsibility for Internal Control.

This performance audit was designed to meet the objectives identified in the Objectives, Scope, and 
Methodology section of this report. Our audit procedures were performed over the fiscal year (FY) 
2008 OMB Circular No. A-123 work papers developed by the Department's Internal Control over 
Financial Reporting Program Management Office (ICOFR PMO). Interviews with DHS management 
and other testwork were performed at various times through February 15, 2009, and our results reported 
herein are as of February 15, 2009. 

We conducted this performance audit in accordance with generally accepted government auditing 
standards (GAGAS). Those standards require that we plan and perform the audit to obtain sufficient, 
appropriate evidence to provide a reasonable basis for our findings and conclusions based on our audit 
objectives. We believe that the evidence obtained provides a reasonable basis for our findings based on 
our audit objectives. 

The performance audit did not constitute an audit of financial statements in accordance with GAGAS. 
KPMG was not engaged to, and did not, render an opinion on the Department's internal controls over 
financial reporting or over financial management systems (for purposes of OMB Circular No. A-127,
Financial Management Systems, July 23, 1993, as revised). Furthermore, KPMG is not rendering an 
opinion on the conclusions made by management on their Secretary's Assurance Statement nor did we 
evaluate the design of internal controls performed by management. KPMG cautions that projecting the 
results of our evaluation to future periods is subject to risks because of changes in conditions or because 
compliance with controls may deteriorate. 




KPMG LLP, a U.S. limited liability partnership, is the U.S. 
member firm of KPMG International, a Swiss cooperative. 
EXECUTIVE SUMMARY



The Department of Homeland Security (DHS or the Department) has developed the Internal Control 
over Financial Reporting Program Management Office (ICOFR PMO) to lead the Department's efforts 
to comply with the requirements of the Office of Management and Budget's (OMB) Circular No. A-123,
Management's Responsibility for Internal Control. The ICOFR PMO plans, coordinates, and
oversees the A-123 process at DHS and its components. In addition, the ICOFR PMO develops the
final Secretary's Assurance Statement based on the results of testwork at the various components. 

The objectives of this performance audit were to determine whether: (1) DHS planned and implemented 
its assessment of internal controls over financial reporting in accordance with the requirements of OMB 
Circular No. A-123; (2) DHS performed sufficient test work over processes identified as high-risk; and
(3) DHS' fiscal year (FY) 2008 Assurance Statement reflects the status of its internal control over 
financial reporting as identified through its testing. KPMG was not engaged to, and did not, render an 
opinion on the Department's internal controls over financial reporting or over financial management 
systems. Our audit was performed using the criteria in Appendix A of OMB Circular No. A-123, and 
using the methodology described in the Objectives, Scope, and Methodology section below. 

Because DHS is a relatively new agency that is large with unique transformational challenges, OMB 
approved a multi-year implementation of the Circular, which is designed to implement control testing
over multiple years. This multi-year implementation plan is documented in DHS' ICOFR Playbook. 
Based on materiality calculations and a risk-based prioritization, DHS is addressing pervasive high risk 
areas first, which address remediation of material weaknesses. This approach to focus on remediation 
of material weaknesses where necessary is permitted by OMB Circular No. A-123. In addition, DHS is 
continually working with OMB and believes this multi-year approach to be the prudent course of action 
to ensure eventual full compliance with OMB Circular No. A-123. In FY 2008, the United States Coast 
Guard (USCG) and Federal Emergency Management Agency (FEMA) only addressed remediation of 
material weaknesses in accordance with this plan. FY 2008 is the third year of implementation. 

Although DHS obtained OMB approval for its multi-year implementation plan to implement control 
testing over multiple years, it will not be in full compliance with OMB Circular No. A-123 until the 
multi-year plan is completed and fully implemented across all DHS components. In addition, we noted 
several areas where DHS could enhance its A-123 review process. Specifically, we noted that the 
planning phase was not clearly documented to indicate how the risk assessment process resulted in the 
components and/or processes to be tested. Monitoring procedures were not clearly documented and 
were not robust enough to identify control weaknesses that were reported as significant deficiencies by 
the external auditor. In addition, management did not identify some key controls that may have 
identified additional control deficiencies, or fully document its testing process, including the sampling 
approach. 

We recommend that DHS continue its multi-year implementation plan of OMB Circular No. A-123 to 
ensure full compliance. Management should also enhance its documentation over the planning, testing, 
and monitoring processes. In addition, management should ensure that it performs a detailed analysis 
to identify key controls that affect significant processes. 
BACKGROUND



Internal control over financial reporting is designed to provide reasonable assurance about the reliability 
of financial reporting. OMB Circular No. A-123 (the Circular) provides guidance to Federal managers
on improving the accountability and effectiveness of Federal programs and operations by establishing, 
assessing, correcting, and reporting on internal control. It defines management's responsibilities related 
to internal control and the process for assessing internal control effectiveness, and provides specific 
requirements for conducting management's assessment of the effectiveness of internal control over 
financial reporting. 

According to the Circular, "agencies and individual Federal managers must take systematic and 
proactive measures to (i) develop and implement appropriate, cost-effective internal control for
results-oriented management; (ii) assess the adequacy of internal control in Federal programs and operations;
(iii) separately assess and document internal control over financial reporting consistent with the process 
defined in Appendix A [of the Circular]; (iv) identify needed improvements; (v) take corresponding 
corrective action; and (vi) report annually on internal control through management assurance 
statements." 

The Department's ICOFR PMO within the Office of the Chief Financial Officer oversees the 
implementation of the Circular across DHS. The ICOFR PMO develops the overall A-123 testing plan,
coordinates meetings, monitors status at the components, and compiles the Secretary's Assurance 
Statement based on results of testwork. 

Because DHS is a relatively new multifaceted agency with unique transformational challenges, OMB 
approved a multi-year implementation of the Circular. This plan is documented in DHS' ICOFR 
Playbook. Based on materiality calculations and a risk-based prioritization, DHS is addressing 
pervasive high risk areas first, which address remediation of material weaknesses. In FY 2008, the 
United States Coast Guard (USCG) and Federal Emergency Management Agency (FEMA) did not 
assess internal control, but instead only addressed remediation of material weaknesses in accordance 
with this plan. FY 2008 is the third year of implementation. 

OBJECTIVES, SCOPE, AND METHODOLOGY 

Objectives 

The objective of this performance audit was to determine whether: (1) DHS planned and implemented 
its assessment of internal controls over financial reporting in accordance with the requirements of OMB 
Circular No. A-123; (2) DHS performed sufficient test work over processes identified as high-risk; and
(3) DHS' FY 2008 Assurance Statement reflects the status of its internal control over financial 
reporting as identified through its testing. KPMG was not engaged to, and did not, render an opinion on 
the Department's internal controls over financial reporting or over financial management systems. We 
did not evaluate any corrective actions taken by management during our audit. Recommendations are 
provided to help address findings identified during our performance audit. 

Scope 

The scope of this performance audit includes the testwork and related workpapers completed by the 
ICOFR PMO (and its contractors) over the FY 2008 internal controls over financial reporting, and the 
resulting FY 2008 Secretary's Assurance Statement. Our audit was performed between January 5, 2009 
and February 15, 2009. 
Methodology and Criteria

We conducted this performance audit in accordance with the standards applicable to such audits 
contained in the Government Auditing Standards, issued by the Comptroller General of the United 
States. Our methodology consisted of the following approach: 

• Confirm whether management established an organizational structure to effectively implement, 
direct, and oversee the assessment process. The Circular suggests a Senior Management 
Council and a Senior Assessment Team or equivalent structures. 

• Confirm whether management evaluated controls at the entity level and considered the 
components of internal control as defined in the Circular and GAO's Standards for Internal 
Control in the Federal Government. 

• Confirm whether management established an approach to determine the scope of the 
assessment. The scope of the assessment includes identifying significant financial reports and 
key processes/controls/transactions. 

• Confirm whether management used a risk-based approach to testing and whether the test plan 
reflects an efficient approach to testing based on materiality and risk. 

• Confirm whether management evaluated and documented the processes and controls as required 
by Appendix A of the Circular. 

• Confirm whether management evaluated and documented IT general controls. 

• Confirm whether management evaluated and documented compliance with key laws and 
regulations. 

• Confirm whether management documented its decisions on determining the scope, materiality, 
testing methodology, and other significant decisions related to this assessment. Management 
also documented its decisions for what, when, where, and how to test the controls, and 
documented the tests and results. Management can and should use discretion when developing 
the testing approach that is required to support its statement of assurance. The management 
assurance required by the agency head should be directly related to the amount of test work 
performed, as determined by scope, risk, and materiality determinations made by management. 

• Confirm whether management used the results of its testing, and considered information 
gathered during the financial statement audit and other audits or reviews, to support its 
conclusion whether internal controls over financial reporting were properly designed and 
operating effectively. 

• Identify whether management's assurance statement describes any scope limitations, and is 
consistent with the results of the testing process. 

• Confirm whether management submitted a multi-year implementation plan that: (i) states why 
the agency requires more than one year to execute its plan; (ii) provides for identifying, testing, 
and assessing a significant percentage of its key business processes and controls in each year; 
(iii) demonstrates how the agency will meet the OMB Circular No. A-123, Appendix A
requirements; and (iv) is reviewed and accepted by OMB. 

• Confirm whether implementation of the assessment process is in substantial accordance with 
the OMB-approved implementation plan. 

• Confirm whether submission of the assurance statement by the agency head accurately reflects 
the amount of work completed (e.g., agencies that are implementing a multi-year plan will need 
to identify a scope limitation) and the results of the assessments performed. 

Appendix A of OMB Circular No. A-123 constitutes the criteria to be used in conducting our audit.
The procedures described above included, but were not limited to, inquiries of management and review 
of supporting documentation. 
FINDINGS AND RECOMMENDATIONS



A. Testing (Notification of Findings and Recommendations (NFR) No. DHS PA5-08-02) 
Background: 

DHS's planning and testwork selection was guided by its multi-year implementation plan for 
compliance with OMB Circular No. A-123, Appendix A. Management focused on the remediation 
of internal control weaknesses at components that have pervasive material weaknesses (i.e. United 
States Coast Guard and Federal Emergency Management Agency) rather than testing internal 
controls that are known to be ineffective. Therefore, OMB approved this multi-year 
implementation plan, as well as subsequent revisions, which is designed to implement control 
testing over multiple years. For agencies with OMB approved multi-year implementation plans, 
OMB states in the Frequently Asked Questions Pertaining to OMB Circular A-123, Management's 
Responsibility for Internal Control, Appendix A, that an agency is considered compliant if the 
agency demonstrates how it will meet the A-123, Appendix A requirements by September 2008. 
However, OMB will continue to work with agencies that are challenged by significant and long-term
material weaknesses, such as DHS. Although OMB approved DHS' multi-year
implementation plan in FY 2008, DHS will not be in full compliance with the Circular until it 
performs both remediation and testing of internal controls over all material processes/components. 
Furthermore, the conditions discussed below also need to be addressed before DHS will be in full 
compliance with the Circular. 

Condition: 

We noted the following conditions related to the control testwork DHS planned for FY 2008: 

• Only tests of design (TODs), not tests of operating effectiveness (TOEs), were performed at the 
following material processes/components: 

• DHS Headquarters - Financial Systems Security and Payment Management 

• Transportation Security Administration (TSA) - General ledger management, Grants 
Management, Revenue Management, Receivable Management, and Human Resources and 
Payroll Management 

• Customs and Border Protection (CBP) - Financial Systems Security, Property Management, 
Revenue Management, Receivable Management, and Human Resources and Payroll 
Management 

• Immigration and Customs Enforcement (ICE) - Financial Systems Security, Revenue 
Management, Receivable Management, and Human Resources and Payroll Management 

• Federal Law Enforcement Training Center (FLETC) - Financial Systems Security, Property 
Management, and Payment Management 

• U.S. Citizenship and Immigration Services (USCIS) - Financial Systems Security and 
Human Resources and Payroll Management 

• U.S. Secret Service (USSS) - Financial Systems Security and Human Resources and Payroll 
Management 

• Testwork was not performed over the material and significant processes at the United States 
Coast Guard (USCG) and Federal Emergency Management Agency (FEMA) in FY 2008. Per 
the FY 2008 ICOFR Playbook, USCG and FEMA focused on remediation of material 
weaknesses. 
• Testwork was not performed over the Financial System Security and Budgetary Resources
Management processes at TSA due to a focus on remediation of material weaknesses over these 
areas in FY 2008. 

• The following components were not included in the scope of ICOFR planning, except for entity- 
level controls: Domestic Nuclear Detection Office (DNDO), Management and Analysis 
(MGA), National Protection and Programs Directorate (NPPD), and Office of Health Affairs 
(OHA). As these are newer components or are undergoing mergers and consolidations, DHS 
excluded these components from its A-123 assessment in order to focus on "standing up
operations." 

Cause: 

Much of DHS's planning and testwork selection was guided by its multi-year implementation plan for 
compliance with OMB Circular No. A-123, Appendix A. Although OMB has approved this multi-year
implementation plan, as well as subsequent revisions, it is designed to implement control testing over 
multiple years. 

Effect: 

Testwork over ICOFR at the above listed components may identify further material weaknesses or other 
deficiencies that were not previously identified through the external audit, due to a lower threshold 
required to be used by management. In addition, DHS will not be in full compliance with the Circular 
until it performs both remediation and testing of internal controls over all material 
processes/components. 

Recommendations:

In order to achieve full compliance with OMB Circular No. A-123, we recommend that DHS continue
implementation of its multi-year plan in coordination with OMB, to eventually include performing the 
following: 

1. Perform both tests of design and tests of operating effectiveness for all material processes
across the Department to identify any potential material weaknesses or significant deficiencies 
not identified through tests of design or in the external audit. 

2. Implement testing of ICOFR at USCG and FEMA to identify any potential material weaknesses 
or significant deficiencies not identified in the external audit. 

3. Implement testing of ICOFR over the Financial Systems Security and Budgetary Resources 
Management processes at TSA to identify any potential material weaknesses or significant 
deficiencies not identified in the external audit. 

4. Include the new or recently merged/consolidated components in the scope of the ICOFR 
planning to identify any potential material weaknesses or significant deficiencies not identified 
in the external audit. 

B. Monitoring Procedures (NFR No. DHS PA5-08-01) 

Condition: 

We noted the following conditions related to monitoring procedures performed by the Department 
during FY 2008: 

• The Department's monitoring procedures at mature components (i.e., CBP, USCIS, ICE, TSA, 
FLETC, USSS, and S&T) over the Entity Level Controls, General Ledger Management, and
Fund Balance with Treasury processes concluded that the controls monitored in FY 2008
appeared to be operating consistently with those tested in FY 2007. The monitoring procedures 
performed did not identify any new control deficiencies in FY 2008. As a result, the 
monitoring procedures performed did not detect a control deficiency at TSA related to Entity 
Level Controls or control deficiencies at ICE, S&T, and FLETC related to environmental 
liabilities in the General Ledger Management process. These control deficiencies were noted in 
the Independent Auditors' Report (IAR) as significant deficiencies at the Department-wide 
level. 

Cause: 

The Department's monitoring procedures were not robust enough to detect potential new control 
deficiencies. DHS focused its FY 2008 monitoring efforts on the remediation of control 
deficiencies identified in FY 2007, rather than on monitoring the ongoing effectiveness of controls 
tested in FY 2007. 

Effect: 

The Department's monitoring procedures did not detect new significant control deficiencies in FY 
2008. 

Recommendations:

We recommend that DHS: 

1. Perform more thorough monitoring procedures to identify changes to controls, control risks, or 
the operation of controls, such as: 

a. Implement a more rigorous review to ensure that proper accounting rules and standards are 
being implemented; 

b. Implement a system where high risk areas such as segregation of duties are monitored
more closely than other areas, including performing detailed walk-throughs of processes 
and interviews with accounting personnel throughout the year; 

c. Expand the monitoring activities that are currently in place throughout the year to allow 
early detection and potential correction of control deficiencies and to catch potential 
weaknesses that may arise during the fiscal year; and 

d. Implement changes to the monitoring process whereby several of the activities are 
performed on a much more detailed and lower management level while still involving key 
management at DHS. 

C. Control Evaluation (NFR No. DHS PA5-08-04) 

Condition: 

We performed a review of Management's assessment of internal controls in FY 2008 for the DHS 
Office of Financial Management (DHS-OFM), CBP, ICE, USCIS, FLETC, and TSA and noted that
although management identified some key controls, management did not identify enough key 
controls to identify weaknesses in the following processes, specifically: 

• Management did not identify enough key controls necessary to conclude on the design of the 
controls over Revenue/Receivables Management at CBP, General Ledger Management at TSA, 
and Property Management at CBP. 
• Management did not identify enough key controls necessary to conclude on the operating
effectiveness of the controls over Budgetary Resources Management at CBP and Property 
Management at TSA. 

Cause: 

DHS Management's selection of key controls to test for proper design and, if applicable, operating 
effectiveness, did not identify and/or test key controls that address certain risks and/or assertions 
related to line items that have a significant financial statement impact to detect significant 
deficiencies in the above listed processes. 

Effect: 

Management's assessment of internal control over financial reporting did not identify some of the 
weaknesses identified by the external auditor in the IAR. 

Recommendation: 

We recommend that DHS reassess the controls identified and determine if additional key controls 
should be tested to cover all risks and/or assertions related to significant line items. For additional 
key controls identified, assess the controls and perform procedures over such controls that have a 
significant financial statement impact to ensure Management's responsibility for establishing and 
maintaining adequate internal control over financial reporting for DHS. 

D. Documentation (NFR No. DHS PA5-08-03) 

Condition: 

KPMG reviewed the U.S. Department of Homeland Security's documentation of planning, testing, 
and monitoring as related to OMB Circular No. A-123, Appendix A, and noted the following: 

• DHS performed a "macro" level risk assessment and materiality calculation, and significant 
components were identified based on gross costs. In addition, the FY 2008 ICOFR Planning 
Memorandum states that qualitative factors were also considered in determining the test plan. 
However, there is not a clear linkage between these quantitative and qualitative factors and the 
resulting A-123 test plan. For example, the grants process was tested at the Science and 
Technology Directorate (S&T) and the receivable management process was tested at ICE. 
Although these are immaterial processes quantitatively, KPMG noted through inquiry that 
qualitative factors such as news media coverage were considered when determining the test 
plan. However, the consideration of qualitative factors is not clearly documented in the test 
plan. 

• The Department documented its testing procedures and results in the areas it performed TODs 
and TOEs over in FY 2008 (e.g., Entity Level Controls at Headquarters and General Ledger
Management at TSA). However, the Department did not clearly document the full extent of
monitoring procedures it performed during FY 2008 (i.e., over the Entity Level Controls,
General Ledger Management, and Fund Balance with Treasury processes at mature 
components). 

• Through review of Management's TODs at DHS-OFM, CBP, ICE, USCIS, FLETC, and TSA, 
Management did not thoroughly document the TOD procedures in FY 2008 to clearly indicate 
the nature, timing, and extent of the work performed. Furthermore, for processes in which a 
TOE was performed in FY 2008, DHS did not re-perform the TOD as this was performed in FY
2007. However, KPMG noted per discussion with the Director of the Internal Control Program
Management Office that Management assessed whether there had been changes in these 
processes, but did not fully document the nature, timing, and extent of procedures performed 
over the TOD in FY 2008. Thus the documentation did not clearly indicate that the control 
evaluated in FY 2007 was still properly designed and implemented in FY 2008. 

• At DHS-OFM, CBP, ICE, USCIS, FLETC, and TSA, Management inconsistently identified the 
laws and regulations tested. In some instances on the control evaluation matrix the financial 
reporting assertion column appropriately identified "LR" as an assertion and the specific law or 
regulation in the risk column (e.g. Prompt Payment Act). However, this documentation was not 
consistent as KPMG noted several instances in which the risk column did not identify any 
specific law or regulation. 

• Management did not aggregate the results of its testing over direct and material laws and 
regulations for each Internal Control Component (e.g. a conclusion over laws and regulations 
over Payment Management). 

• The TOE documentation at DHS-OFM, CBP, ICE, USCIS, TSA, and FLETC did not indicate 
the following: 

• Methodology used to select the sample (i.e. computer sampling tool), 

• A description of the population sampled, 

• Procedures, if any, to determine the completeness of the population from which 
samples were selected; and 

• Justification of the sample size is based on appropriate guidance per the Government 
Accountability Office/President's Council on Integrity and Efficiency's Financial
Audit Manual, as documented in the Playbook; however, Management did not 
document the sample size rationale for the type of control tested (i.e. yearly, monthly, 
recurring, etc.). 

• The TOE documentation at DHS-OFM, CBP, ICE, USCIS, TSA, and FLETC did not 
consistently identify the period in which the control was tested (i.e. as of September 30, 
2008). 

• At CBP and ICE, certain control failures described on the Summary of Aggregated 
Deficiencies (SAD) indicated the existence of a compensating control; however, the 
compensating control was not specifically identified. For example, we noted instances in 
which controls on the SAD indicated that a compensating control exists, but the 
compensating control is not referenced in the SAD nor does Management indicate if the 
compensating control is effective at mitigating the risk. Furthermore, we noted at DHS-OFM,
USCIS, FLETC, and TSA that Management did not identify any compensating
controls for failures described on the SAD. 

Cause: 

DHS Management did not thoroughly document its procedures performed over OMB Circular No. 
A-123. 
Effect:

Based on the documentation provided, a third party reviewer is unable to clearly determine if 
management performed adequate procedures to comply with the Circular. 

Recommendations:

We recommend that DHS: 

1. Clearly document the linkage and/or process of the qualitative and quantitative factors 
considered during planning to the resulting test plan. 

2. Implement an overall system of documenting the Department's monitoring activities and results 
to allow third party review of such materials. 

3. Add documentation to the existing Control Evaluation Matrix (or a new document, if 
practicable) to indicate the nature, timing, and extent of the tests of design performed. Although 
OMB approved the multi-year control evaluation process, it is recommended that Management
clearly document that the TOD was reassessed for the current year and any changes identified 
are documented/updated in the TOD. 

4. Cite each law or regulation whenever the "LR" assertion is tested. 

5. Aggregate the results of testing over direct and material laws and regulations for each Internal 
Control Component so that Management can determine its overall compliance with the law or 
regulation. 

6. Document the following four items for each TOE tested: 

a. Methodology used to select the sample (i.e. computer sampling tool); 

b. A description of the population sampled; 

c. Procedures, if any, to determine the completeness of the population from which 
samples were selected; and 

d. Document the sample size rationale in the TOE testwork and clearly indicate 
the type of control tested (e.g. yearly, monthly, recurring, etc.). 

7. Consistently identify the period for which controls are tested. 

8. Specifically identify each compensating control as well as assess its design, implementation, 
and operating effectiveness. Ensure that Management has performed a thorough review to 
determine if any compensating controls exist. If there is no compensating control, consistently 
indicate as such in the matrix. 
MANAGEMENT RESPONSE

Management has prepared an official response presented as a separate attachment to this report. In 
summary, management agreed with our findings and their comments were responsive to our 
recommendations. We did not audit management's response and, accordingly, express no opinion 
on it. 
KEY DOCUMENTS AND DEFINITIONS



This section provides key definitions and documents for the purposes of this report. 

The Federal Managers' Financial Integrity Act (FMFIA) requires that Executive Branch Federal
agencies establish and maintain an effective internal control environment according to the standards 
prescribed by the Comptroller General. These standards are published in the Government 
Accountability Office's (GAO) Standards for Internal Control in the Federal Government (see 
below). In addition, it requires that the heads of agencies annually evaluate and report on the 
effectiveness of internal control and financial management systems. 

GAO's Standards for Internal Control in the Federal Government (Standards) define internal 
control as an integral component of an organization's management that provides reasonable 
assurance of effectiveness and efficiency of operations, reliability of financial reporting, and 
compliance with applicable laws and regulations. 

The Department of Homeland Security Financial Accountability Act (DHS FAA) appoints a Chief 
Financial Officer (CFO) for DHS. Furthermore, the DHS FAA requires that the Secretary include 
an audit opinion of the internal controls over financial reporting in the Department's Performance 
and Accountability Report (DHS issues an Annual Financial Report). 

Office of Management and Budget (OMB) Circular No. A-123, Management's Responsibility for 
Internal Control, provides guidance on internal controls and requires agencies and Federal 
managers to 1) develop and implement internal controls; 2) assess the adequacy of internal controls; 
3) separately assess and document internal control over financial reporting; 4) identify needed 
improvements; 5) take corresponding corrective action; and 6) report annually on internal controls. 
The successful implementation of these requirements facilitates compliance with both FMFIA and 
the Chief Financial Officers Act. 

An internal control deficiency exists when the design or operation of a control does not allow 
management or employees, in the normal course of performing their assigned functions, to prevent 
or detect misstatements on a timely basis. 

A significant deficiency is a control deficiency, or combination of control deficiencies, that 
adversely affects DHS' ability to initiate, authorize, record, process, or report financial data reliably 
in accordance with U.S. generally accepted accounting principles such that there is more than a 
remote likelihood that a misstatement of DHS' financial statements that is more than 
inconsequential will not be prevented or detected by DHS' internal control over financial reporting. 

A material weakness is a significant deficiency, or combination of significant deficiencies, that 
results in more than a remote likelihood that a material misstatement to the financial statements will 
not be prevented or detected by DHS' internal control over financial reporting. 

The Internal Controls over Financial Reporting (ICOFR) Playbook was developed by the ICOFR 
PMO to assist DHS in meeting the financial accountability requirements outlined in the DHS FAA. 
The ICOFR Playbook outlines the Department's strategy and process to resolve material 
weaknesses and build management assurances. On an annual basis, the ICOFR Playbook is 
updated to enhance its existing guidance, as necessary, and establish milestones, which will be 
monitored by OCFO throughout the year. 

DHS' FY 2008 Secretary's Assurance Statement is dated November 13, 2008, and identifies six 
material weaknesses over ICOFR at FEMA, USCG, and TSA. The Secretary did not provide 
reasonable assurance that ICOFR was operating effectively, as not enough testing was completed. 
The Assurance Statement was included in DHS' FY 2008 Annual Financial Report. 

U.S. Department of Homeland Security 

Washington, DC 20528 







April 23, 2009 



MEMORANDUM FOR: Anne Richards 

Assistant Inspector General for Audits 

FROM: Peggy Sherry 

Acting Chief Financial Officer 

SUBJECT: Performance Audit of DHS' Implementation of OMB Circular No. 

A-123, Management's Responsibility for Internal Control 

Thank you for the opportunity to comment on the Performance Audit of DHS' Implementation 
of OMB Circular No. A-123, Management's Responsibility for Internal Control. We concur 
with the report's findings and recommendations. DHS has appropriately planned and 
implemented its assessment of internal control over financial reporting, consistent with OMB 
guidance and the legislative intent of the Department of Homeland Security Financial 
Accountability Act. The Department will continue to focus its approach on corrective actions 
and gradually introduce test work to assess the effectiveness of the Department's internal control 
over financial reporting. In closing, we look forward to continuing our partnership and the 
opportunity to implement the integrated internal control and financial statement audit. 